Lucene search

GoogleOSV:GHSA-FF9J-PWXG-Q5P2

HistoryNov 04, 2022 - 12:00 p.m.

deep-parse-json vulnerable to Prototype Pollution

2022-11-0412:00:25

Google

osv.dev

vulnerable

prototype pollution

external attacker

json keys

__proto__

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

36.9%

JSON

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.

References

fluidattacks.com/advisories/buuren

github.com/sibu-github/deep-parse-json

github.com/sibu-github/deep-parse-json/issues/6

nvd.nist.gov/vuln/detail/CVE-2022-42743

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

36.9%

JSON

Related for OSV:GHSA-FF9J-PWXG-Q5P2